[LON-CAPA-cvs] cvs: loncom / loncapa_apache.conf /auth lonwebdavacc.pm lonwebdavauth.pm /html/adm nowebdav.html /lonnet/perl lonnet.pm doc/loncapafiles loncapafiles.lpml

raeburn raeburn at source.lon-capa.org
Sun Feb 26 22:06:46 EST 2012


raeburn		Mon Feb 27 03:06:46 2012 EDT

  Added files:                 
    /loncom/auth	lonwebdavacc.pm lonwebdavauth.pm 
    /loncom/html/adm	nowebdav.html 

  Modified files:              
    /loncom	loncapa_apache.conf 
    /doc/loncapafiles	loncapafiles.lpml 
    /loncom/lonnet/perl	lonnet.pm 
  Log:
  - Bug 6034.
    - webDAV access to Authoring Spaces.
    - requires prior migration of Authoring Spaces from /home/<user>/public_html 
      to /home/httpd/html/priv/<domain>/<user>
    - Work in progress.
  
  
-------------- next part --------------
Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.209 loncom/loncapa_apache.conf:1.210
--- loncom/loncapa_apache.conf:1.209	Wed Dec 28 22:41:16 2011
+++ loncom/loncapa_apache.conf	Mon Feb 27 03:06:37 2012
@@ -1,7 +1,7 @@
 ##
 ## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
 ##
-## $Id: loncapa_apache.conf,v 1.209 2011/12/28 22:41:16 raeburn Exp $
+## $Id: loncapa_apache.conf,v 1.210 2012/02/27 03:06:37 raeburn Exp $
 ##
 
 #
@@ -38,7 +38,9 @@
 Alias /zipspool/ /home/httpd/zipspool/
 Alias /prtspool/ /home/httpd/prtspool/
 Alias /captchaspool/ /home/httpd/captchaspool/
+Alias /webdav/ /home/httpd/html/priv/
 ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
+DAVLockDB /home/httpd/webdav/DAVLock
 
 # ================================================================= Directories
 
@@ -269,6 +271,22 @@
 ErrorDocument	  500 /adm/errorhandler
 </LocationMatch>
 
+<LocationMatch "^/+webdav/[\w\-]+/[\w\-]+/">
+AuthType Basic
+AuthName "LONCAPA username,domain"
+Require valid-user
+SSLRequireSSL
+PerlAuthenHandler Apache::lonwebdavauth
+PerlAuthzHandler Apache::lonwebdavacc
+Dav On
+DirectoryIndex index.missing
+Options Indexes FollowSymLinks
+ErrorDocument     403 /adm/nowebdav.html
+ErrorDocument     404 /adm/notfound.html
+ErrorDocument     406 /adm/unauthorized
+ErrorDocument     500 /adm/errorhandler
+</LocationMatch>
+
 <LocationMatch "^/+raw.*">
 PerlAccessHandler Apache::lonracc
 </LocationMatch>
@@ -1459,6 +1477,7 @@
 
 PerlSetVar	 lonVersion   '<!-- VERSION -->'
 PerlSetVar       lonIDsDir    /home/httpd/lonIDs
+PerlSetVar       lonDAVsessDir /home/httpd/webdav/sessionIDs
 PerlSetVar       lonTabDir    /home/httpd/lonTabs
 PerlSetVar       lonUsersDir  /home/httpd/lonUsers
 PerlSetVar       lonIconsURL  /adm/lonIcons
Index: doc/loncapafiles/loncapafiles.lpml
diff -u doc/loncapafiles/loncapafiles.lpml:1.787 doc/loncapafiles/loncapafiles.lpml:1.788
--- doc/loncapafiles/loncapafiles.lpml:1.787	Thu Feb 23 21:48:23 2012
+++ doc/loncapafiles/loncapafiles.lpml	Mon Feb 27 03:06:43 2012
@@ -2,7 +2,7 @@
  "http://lpml.sourceforge.net/DTD/lpml.dtd">
 <!-- loncapafiles.lpml -->
 
-<!-- $Id: loncapafiles.lpml,v 1.787 2012/02/23 21:48:23 raeburn Exp $ -->
+<!-- $Id: loncapafiles.lpml,v 1.788 2012/02/27 03:06:43 raeburn Exp $ -->
 
 <!--
 
@@ -417,6 +417,18 @@
 </directory>
 <directory dist='default'>
   <protectionlevel>modest_delete</protectionlevel>
+  <targetdir dist='default'>home/httpd/webdav</targetdir>
+  <categoryname>server standard</categoryname>
+  <description>for storage of webdav DAVLock files</description>
+</directory>
+<directory dist='default'>
+  <protectionlevel>modest_delete</protectionlevel>
+  <targetdir dist='default'>home/httpd/webdav/sessionIDs</targetdir>
+  <categoryname>server standard</categoryname>
+  <description>for storage of webdav session files</description>
+</directory>
+<directory dist='default'>
+  <protectionlevel>modest_delete</protectionlevel>
   <targetdir dist='default'>home/httpd/lib</targetdir>
   <categoryname>server readonly</categoryname>
   <description>location of LON-CAPA software modules and
@@ -5639,6 +5651,13 @@
 <status>works/unverified</status>
 </file>
 <file>
+<source>loncom/auth/lonwebdavacc.pm</source>
+<target dist='default'>home/httpd/lib/perl/Apache/lonwebdavacc.pm</target>
+<categoryname>handler</categoryname>
+<description>authorization for webDAV access to Author Spaces</description>
+<status>works/unverified</status>
+</file>
+<file>
 <source>loncom/lontrans.pm</source>
 <target dist='default'>home/httpd/lib/perl/Apache/lontrans.pm</target>
 <categoryname>handler</categoryname>
@@ -5803,6 +5822,13 @@
   <status>works/unverified</status>
 </file>
 <file>
+<source>loncom/auth/lonwebdavauth.pm</source>
+<target dist='default'>home/httpd/lib/perl/Apache/lonwebdavauth.pm</target>
+<categoryname>handler</categoryname>
+<description>authenticate, set up session environment for webDAV</description>
+<status>works/unverified</status>
+</file>
+<file>
 <source>loncom/auth/lonlogout.pm</source>
 <target dist='default'>home/httpd/lib/perl/Apache/lonlogout.pm</target>
 <categoryname>handler</categoryname>
@@ -6056,6 +6082,15 @@
 </description>
 </file>
 <file>
+<source>loncom/html/adm/nowebdav.html</source>
+<target dist='default'>home/httpd/html/adm/nowebdav.html</target>
+<categoryname>interface file</categoryname>
+<description>
+static html page that is shown when an attempt is made to access 
+an inaccessible path using webDAV.
+</description>
+</file>
+<file>
 <source>loncom/html/adm/help/searchcat.html</source>
 <target dist='default'>home/httpd/html/adm/help/searchcat.html</target>
 <categoryname>interface file</categoryname>
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1154 loncom/lonnet/perl/lonnet.pm:1.1155
--- loncom/lonnet/perl/lonnet.pm:1.1154	Thu Feb 16 19:31:14 2012
+++ loncom/lonnet/perl/lonnet.pm	Mon Feb 27 03:06:46 2012
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1154 2012/02/16 19:31:14 raeburn Exp $
+# $Id: lonnet.pm,v 1.1155 2012/02/27 03:06:46 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -595,13 +595,21 @@
 
 # ---------------------------------------------------- Check for valid session 
 sub check_for_valid_session {
-    my ($r) = @_;
+    my ($r,$name) = @_;
     my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
-    my $lonid=$cookies{'lonID'};
+    if ($name eq '') {
+        $name = 'lonID';
+    }
+    my $lonid=$cookies{$name};
     return undef if (!$lonid);
 
     my $handle=&LONCAPA::clean_handle($lonid->value);
-    my $lonidsdir=$r->dir_config('lonIDsDir');
+    my $lonidsdir;
+    if ($name eq 'lonDAV') {
+        $lonidsdir=$r->dir_config('lonDAVsessDir');
+    } else {
+        $lonidsdir=$r->dir_config('lonIDsDir');
+    }
     return undef if (!-e "$lonidsdir/$handle.id");
 
     my $opened = open(my $idf,'+<',"$lonidsdir/$handle.id");

Index: loncom/auth/lonwebdavacc.pm
+++ loncom/auth/lonwebdavacc.pm
# The LearningOnline Network
# Authorization Handler for webDAV access to Authoring Space. 
#
# $Id: lonwebdavacc.pm,v 1.1 2012/02/27 03:06:33 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#

=pod

=head1 NAME

Apache::lonwebdavacc - webDAV Authorization Handler

=head1 SYNOPSIS

Invoked for /+webdav/[\w\-]+/[\w\-]+/ by
/etc/httpd/conf/loncapa_apache.conf:

PerlAccessHandler       Apache::lonwebdavacc

=head1 INTRODUCTION

This module enables authorization for authoring space
and is used to control access for the following type of URI:

 <LocationMatch "^/webdav/[\w\-]+/[\w\-]+>

This module is only called following successful authentication. 
Unless lonOtherAuthen has been set, so Single Sign On can be used,
successful authentication will have created a session file and
transferred the contents to the user's environment.

In the case of SSO, there is no existing user environment, but  
$r->user will have been set to the user's username, following 
successful authentication.  For SSO, the webDAV session file
and environment are set up by a call to 
Apache::lonwebdavauth::init_webdav_env().

Note: because Apache Basic Auth is used for authentication (unless SSO)
webDAV access is only available for servers running Apache with SSL.

This is part of the LearningOnline Network with CAPA project
described at http://www.lon-capa.org.

=head1 HANDLER SUBROUTINE

This routine is called by Apache and mod_perl.

=over 4

=item *

Checks if $env{'user.environment'} is defined.

=item *

If no %env, this was SSO authentication so call to &sso_login() to
create session, and return cookie. 

=item *

Checks if requested URL (of form /webdav/authordomain/authorname) is valid
and whether authenticated user has an active author or co-author
role in the corresonding Author Space. 

=back

=head1 NOTABLE SUBROUTINES

=over

=item * sso_login()

=over 

=item *

Called if no user.environment exists in %env.

=item *

Checks if $r->user contains a valid user.

=item *

Domain is set either from lonSSOUserDomain perlvar (if defined)
or from lonDefDomain perlvar.
 
=item *

For a valid user a new session file and is created, and the corresponding 
cookie is returned to the client in an Apache response header.

=back

=back

=cut

package Apache::lonwebdavacc;

use strict;
use GDBM_File;
use Apache::Constants qw(:common :http :methods);
use Apache::lonnet;
use LONCAPA qw(:DEFAULT :match);

sub handler {
    my $r = shift;
    my $timetolive = 600;
    my $now = time;
    my $sessiondir=$r->dir_config('lonDAVsessDir');

    my ($adom,$aname);
    unless ($env{'user.environment'}) {
        my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
        if ($handle eq '') {
            $handle = &sso_login($r,$sessiondir,$now,$timetolive);
            if ($handle eq '') {
                return FORBIDDEN;
            }
        } else {
            &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
        }
    }
    my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
    if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
        return FORBIDDEN;
    }

    ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
    my $docroot = $r->dir_config('lonDocRoot');
    if ($adom eq '' || $aname eq '') {
        return FORBIDDEN;
    } elsif (!-d "$docroot/priv/$adom/$aname") {
        return FORBIDDEN;
    }
    # FIXME method check for MKCOL MOVE PUT DELETE for *.log, *.bak
    # FIXME method check for regexp for "version-style" names: /\.\d+\.\w+$/
    # for MOVE PUT MKCOL 
    if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
        if ($env{"user.role.au./$adom/"}) {
            return OK;
        }
    } else {
        if (($env{"user.role.ca./$adom/$aname"}) ||
            (env{"user.role.aa./$adom/$aname"})) {
            return OK;
        }
    }
    return FORBIDDEN;
}

sub sso_login {
    my ($r,$sessiondir,$now,$timetolive) = @_;
    my ($uname,$udom);
    my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\- at .]*)/);
    unless ($uname =~ /^$match_username$/) {
        return;
    }
    $udom = $r->dir_config('lonSSOUserDomain');
    if ($udom eq '') {
        $udom = $r->dir_config('lonDefDomain');
    }
    unless (($udom =~ /^$match_domain$/)) {
        return;
    }
    my $uhome = &Apache::lonnet::homeserver($uname,$udom);
    if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
        return;
    }
    my $handle = 
        &Apache::lonwebdavauth::init_webdav_env($sessiondir,$uname,$udom,
                                                $uhome,$now,$timetolive);
    if ($handle ne '') {
        my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
        $r->header_out('Set-cookie' => $cookie);
        $r->send_http_header;
    }
    return ($handle);
}

1;

Index: loncom/auth/lonwebdavauth.pm
+++ loncom/auth/lonwebdavauth.pm
# The LearningOnline Network
# Authentication Handler for webDAV access to Authoring Space.
#
# $Id: lonwebdavauth.pm,v 1.1 2012/02/27 03:06:33 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#

=head1 NAME

Apache::lonwebdavauth - webDAV Authentication Handler

=head1 SYNOPSIS

Invoked for /+webdav/[\w\-]+/[\w\-]+/ by 
/etc/httpd/conf/loncapa_apache.conf:

PerlAuthenHandler	Apache::lonwebdavauth

=head1 INTRODUCTION

This module employs Apache Basic Auth authentication and is used
to provide authentication for webDAV client access to author
space(s). Note: because Apache Basic Auth is used, webDAV access
is only available for servers running Apache with SSL.

If the webDAV client supports cookies then whenever the client  
sends the cookie back, a check is made to see if a corresponding
valid session file exists in the server's webDAV session directory.
Support for cookies by webDAV clients is optional.

If a valid session file exists, a cookie is returned containing
the session ID,  otherwise a new session file is created and
returned in the cookie.

The perlvar "lonDAVsessDir" in /etc/httpd/conf/loncapa_apache.conf
provides the directory location: /home/httpd/webdav/sessionIDs.

If the session is stale, or the cookie is missing or invalid, 
the user is re-challenged for login information. If the perlvar
lonOtherAuthen has been set, Single Sign On will be used, otherwise
an Apache Basic Auth request will be sent to the client.

If Apache Basic Auth is used, successful authentication will
result in creation of a webDAV session file containing a 
minimal set of information about the user which will also be 
loaded into the user's environment.  The environment persists
until the end of the Apache request, when it is cleaned up
by lonacc::cleanup, as is the case for requests for non-webdav URLs.

If a valid session file exists, a cookie is returned containing
the session ID, otherwise a new session file is created and
returned in the cookie.

This is part of the LearningOnline Network with CAPA project
described at http://www.lon-capa.org.

=head1 HANDLER SUBROUTINE

This routine is called by Apache and mod_perl.

=over 4

=item *

Check for valid webDAV session

=item *

No session? - if SSO enabled: return DECLINED

=item *

No session? - if SSO not enabled: return AUTH_REQUIRED
which will prompt webDAV client to authenticate user 
(via Apache Basic Auth).

=item *

If authenticated, call &init_webdav_env() to create sessionID
and populate environment, and send header containing cookie.

=back

=head1 NOTABLE SUBROUTINES

=over

=item * init_webdav_env()

=over

=item *

Checks for valid session files in webDAV session directory.

=item * 

Calls Apache::lonnet::transfer_profile_to_env() to create
%env for user if session is valid. 

=item * 

Otherwise creates new session file and populates %env. 

=item *

Session ID file is a GDBM file containing:

=over

=item * user.name, user.domain, user.home, user.environment

=item * user.role entries for:

active author, co-author, and assistant co-author roles
in domains hosted on this machine.

=back

=back

=back

=cut 

package Apache::lonwebdavauth;

use strict;
use GDBM_File;
use Apache::Constants qw(:common :http :methods);
use Apache::lonnet;
use LONCAPA qw(:DEFAULT :match);

sub handler {
    my $r = shift;
    my $now = time;
    my $timetolive = 600;
    my $sessiondir=$r->dir_config('lonDAVsessDir');
    my ($uname,$udom,$uhome);

# Check for cookie
    my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
    if ($handle ne '') {
        my $sesstime;
        ($uname,$udom,$sesstime,$uhome) =  
            ($handle =~ /^($match_username)_($match_domain)_(\d+)_\d+_(.+)$/);
        if ($sesstime) {
            if ($now-$sesstime < $timetolive) {
                if (&Apache::lonnet::homeserver($uname,$udom) eq $uhome) {
                    &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
                    return OK;
                }
            }
        }
    }

    if ($r->dir_config('lonOtherAuthen') eq 'yes') {
        if (defined($r->dir_config('lonOtherAuthenType'))) {
            $r->auth_type($r->dir_config('lonOtherAuthenType'));
        }
        return DECLINED;
    }

    my ($status,$upass) = $r->get_basic_auth_pw;
    return $status unless ($status == 0 || $status == OK);

    if ($r->user =~ /,/) {
        ($uname,$udom) = split(/,/,$r->user);
        unless (($uname =~ /^$match_username$/) && ($udom =~ /^$match_domain$/)) {
            $r->note_basic_auth_failure;
            return AUTH_REQUIRED;
        }
    } else {
        $uname = $r->user;
        ($udom) = ($r->uri =~ m{^/webdav/($match_domain)/});
        unless (($udom ne '' ) && ($uname =~ /^$match_username$/)) {
            $r->note_basic_auth_failure;
            return AUTH_REQUIRED;
        }
    }
    if (&Apache::lonnet::domain($udom) ne '') {
        if (&Apache::lonnet::homeserver($uname,$udom) ne 'no_host') {
            my $uhome = &Apache::lonnet::authenticate($uname,$upass,$udom);
            if (($uhome ne 'no_host') && 
                (&Apache::lonnet::hostname($uhome) ne '')) {
                $handle = &init_webdav_env($sessiondir,$uname,$udom,
                                           $uhome,$now,$timetolive);
                if ($handle ne '') {
                    my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
                    $r->header_out('Set-cookie' => $cookie);
                    $r->send_http_header;
                }
                return OK;
            }
        }
    }
    $r->note_basic_auth_failure;
    return AUTH_REQUIRED;
}

sub init_webdav_env {
    my ($sessiondir,$uname,$udom,$uhome,$now,$timetolive) = @_;
    my $handle;
    my $currnewest = 0;
    if ($sessiondir ne '') {
        if (opendir(DIR,$sessiondir)) {
            while (my $filename=readdir(DIR)) {
                if ($filename=~/^($uname\_$udom\_(\d+)\_\d+\_$uhome)\.id$/) {
                    my $oldhandle = $1;
                    my $sesstime = $2;
                    if ($now-$sesstime < $timetolive) {
                        if ($sesstime > $currnewest) {
                            $currnewest = $sesstime;
                            if ($handle ne '') {
                                unlink("$sessiondir/$handle.id");
                            }
                            $handle = $oldhandle;
                            next;
                        }
                    }
                    unlink($sessiondir.'/'.$filename);
                }
            }
            closedir(DIR);
        }
    }
    if ($handle ne '') {
        &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
        return $handle;
    } else {
        my $id = $$.int(rand(10000000));
        $handle = "$uname\_$udom\_$now\_$id\_$uhome";
        my $sessionfile = "$sessiondir/$handle.id";
        if (tie(my %disk_env,'GDBM_File',"$sessionfile",
                &GDBM_WRCREAT(),0640)) {
            $disk_env{'user.name'} = $uname;
            $disk_env{'user.domain'} = $udom;
            $disk_env{'user.home'} = $uhome;
            $disk_env{'user.environment'} = $sessionfile;
            my $possroles = ['au','ca','aa'];
            my @possdoms = &Apache::lonnet::current_machine_domains();
            my %cstr_roles =
                &Apache::lonnet::get_my_roles($uname,$udom,'userroles',
                                              undef,$possroles,\@possdoms);
            foreach my $item (keys(%cstr_roles)) {
                my ($aname,$adom,$role) = split(/:/,$item);
                if ($role eq 'au') {
                    $disk_env{"user.role.$role./$adom/"} = $cstr_roles{$item};
                } else {
                    $disk_env{"user.role.$role./$adom/$aname"} = $cstr_roles{$item};
                }
            }
            @env{keys(%disk_env)} = @disk_env{keys(%disk_env)};
            untie(%disk_env);
        }
        return $handle;
    }
    return;
}

1;

Index: loncom/html/adm/nowebdav.html
+++ loncom/html/adm/nowebdav.html
<html>
<body bgcolor="#FFFFFF">
<img src="/adm/lonKaputt/lonlogo_broken.gif" align="left">
<h1>Sorry!</h1>
<h2>webDAV not available</h2>
</body>
</html>


More information about the LON-CAPA-cvs mailing list